U.S. Department of Agriculture
Office of Inspector General

USDA's Management and Security Over Wireless Handheld Devices

Audit Report 50501-01-IT
August 2011

United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE:          August 15, 2011

AUDIT
NUMBER:        50501-01-IT

TO:            Christopher L. Smith
               Chief Information Officer
               Office of the Chief Information Officer
               ATTN: Sherry Linkins

               Edward Knipling
               Administrator
               Agricultural Research Service
               ATTN: Michelle Garner

FROM:          Gil H. Harden /s/
               Assistant Inspector General
               for Audit

SUBJECT:       USDA's Management and Security Over Wireless Handheld Devices

The report presents the results of our audit of the management and security over wireless handheld devices. The response from the Office of the Chief Information Officer, which incorporates Agricultural Research Service's position, is included in its entirety in an exhibit in this report. We accept management decision for Recommendations 1 through 5, all of the recommendations in the subject audit.

We appreciate the courtesies and cooperation extended to us by members of your staff during our audit fieldwork and subsequent discussions.

Table of Contents

Executive Summary
Background & Objectives
   Background
   Objectives
Section 1: Security of Wireless Handheld Devices
   Finding 1: USDA Needs to Secure its Wireless Handheld Devices
      Recommendation 1
      Recommendation 2
   Finding 2: USDA Needs to Better Coordinate How its TMACOs Manage Their Agencies' Handheld Wireless Devices
      Recommendation 3
      Recommendation 4
      Recommendation 5
Scope and Methodology
Abbreviations
Exhibit A: Testing Locations
Agency's Response

Executive Summary

Like other Federal departments, the Department of Agriculture (USDA) increasingly relies on smartphones and other handheld wireless devices to conduct its day-to-day business. These devices are small, inexpensive, and powerful, but their portability poses new security risks for Federal agencies. Since smartphones can be easily lost or stolen, misplaced devices could be used to access, and potentially abuse, private or classified information. Given concerns about the security of USDA's smartphones and other wireless handheld devices, the Office of Inspector General (OIG) initiated this audit to evaluate USDA's management and implementation of security measures over the use of mobile handheld device technology.

Of approximately 10,000 wireless handheld devices USDA uses, we selected 277 devices at the Agricultural Research Service (ARS), the Animal and Plant Health Inspection Service, the Food and Nutrition Service, the Forest Service, the National Agricultural Statistics Service, and the Office of the Chief Information Officer (OCIO).[1] We found that these 277 devices were not adequately secured, as defined by guidance issued by the National Institute of Standards and Technology (NIST).[2] For example, we found wireless handheld devices that were not password-protected, that had no anti-virus software installed, and that were not configured to encrypt removable media, among other deficiencies.[3] We also found that all 22 of the Department's Blackberry servers were not secured in accordance with Departmental guidance, and thus allowed users to disable their passwords or bypass the Department's internet content filters.[4]

Ultimately, these problems occurred because USDA chose to deploy wireless handheld devices using a decentralized approach, but did not provide its agencies with clear guidance on how they were to configure their devices and servers. The Departmental website for policies and procedures listed ten documents pertaining to wireless handheld devices, but eight documents were expired and another had been superseded. Moreover, none of these documents provided NIST-compliant security configurations for the various types of devices deployed throughout the Department.

In short, OIG found that USDA allowed these devices to proliferate throughout its agencies without establishing the guidance necessary to ensure that all agencies secured the information employees would access with these devices. Without a more centralized approach for configuring and securing these devices, USDA's data are at risk of theft, inadvertent disclosure, or manipulation.

[1] In order to select these 277 phones, we first selected 40 sites where there were particularly high concentrations of wireless devices. When we visited, we reviewed the phones that were present.
[2] NIST Special Publication 800-124, Guidelines on Cell Phone and Personal Digital Assistant (PDA) Security, October 2008.
[3] Removable media refers to storage media which are designed to be removed from the device without powering it off. Such media are small and easily lost or stolen if removed from the device.
[4] OCIO, Baseline Configuration Standard, BlackBerry Enterprise Server Security Guide, Revision: 1.1, dated October 24, 2007.

Audit Report 50501-01-IT                                                                                          1

USDA does require its agencies to establish a telecommunications management program charged with responsibilities such as inventorying communications devices and reviewing telecommunications services and equipment to ensure they are supported by documented business need. The program is also responsible for maintaining cost-benefit analyses and all other documentation pertinent to the agency's decision for implementing telecommunications services and equipment and ensuring the most cost-effective solution for program delivery and agency compliance with USDA standards. The positions that perform these functions are known as Telecommunications Mission Area Control Officers (TMACO).

We found, however, that the agencies did not emphasize the responsibilities corresponding to these positions, and did not adequately train their TMACOs. These problems occurred because the Department did not provide adequate policies and procedures that included detailed roles and responsibilities for the TMACO position. Because there was not adequate guidance, TMACOs working for several agencies did not take steps to realize rate savings in how their agencies used handheld wireless devices, inventory their devices, or instruct their agencies' employees in how to properly use the devices.

The Department took action during the audit and issued policies that adequately addressed our concerns regarding the management of wireless devices and the roles and responsibilities of the TMACOs. Based on our review of the revised policies, we have modified our recommendations accordingly.

OIG concluded that USDA needs to take steps to secure the approximately 10,000 handheld wireless devices its employees currently use to accomplish their day-to-day business.

Recommendation Summary
In this report, we have issued five recommendations, four to OCIO and one to ARS, to strengthen management controls. We recommended that OCIO develop NIST-compliant configuration guides for all approved wireless handheld device and server types and monitor agencies for compliance; work with telecommunication vendors to develop and implement an electronic billing process; and develop a centralized Departmental system to capture all pertinent data for all handheld devices, such as user, phone number, make, model, device operating system, and current software level. We also made a specific recommendation to ARS to centralize its acquisitions and security over its wireless handheld devices.

Agency Response
OCIO generally concurred with the recommendations and ARS concurred with the recommendation specific to the agency. OCIO incorporated ARS' position into one response. We have included the response in its entirety at the end of this report.

OIG Position
We accept management decision for all 5 recommendations presented in this report.

Background & Objectives

Background

Cell phones and personal digital assistants have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used not only for voice calls, simple text messages, and personal information management (e.g., phonebook, calendar, and notepad), but also for many functions performed at a personal computer, including sending and receiving email, browsing the internet, storing and modifying documents, delivering presentations, and remotely accessing data. While these devices provide productivity benefits, they also pose new security risks. Because of their small size and use outside the office, handheld devices are easier to misplace or have stolen than a notebook computer. If one of these devices is compromised, it is possible to gain access to the information stored on the device or the information the device is capable of accessing remotely.

USDA has adopted a decentralized approach to deploying wireless handheld devices—each agency is allowed to purchase devices to meet its own business needs. We found approximately 10,000 wireless handheld devices within the Department, including almost every brand and type available, though most were Blackberry smartphones. Each agency followed its own procedures for deploying the devices and implemented various levels of security.

Each agency also designates a Telecommunications Mission Area Control Officer (TMACO) who serves as the USDA agency or mission area representative on telecommunications matters, and approves orders for all telecommunications circuits, services, and equipment. The TMACO is the responsible source of technical expertise with regard to all telecommunications issues, specializing in the development, implementation, and maintenance of efficient, cost-effective telecommunications solutions.

Departmental Regulation (DR) 3300-001, Appendix B and C, Telecommunication and Internet Services and Use, dated March 23, 1999, requires agency and staff office managers to (1) establish internal procedures to determine the risk of, and vulnerability to, telecommunication fraud, waste, and abuse on their networks; (2) implement cost-effective actions to minimize their exposure to telecommunication fraud, waste, and abuse; (3) educate employees on telephone fraud, waste, and abuse; and (4) mitigate risks of telecommunication fraud, waste, and abuse to their systems and networks.

DR 3505-002, Appendix C, Wireless Networking Security Policy, dated August 11, 2009, requires agencies to ensure that all wireless network devices are configured in accordance with applicable Federal Information Processing Standards and NIST Special Publications (SP) standards.

NIST outlines many guidelines and requirements for agencies to follow as they deploy wireless equipment to their employees. NIST security practices require:

   · the identification of an organization's information system assets and the development, documentation, and implementation of policies, procedures, and guidelines.
   · that products of this type (smartphones and other wireless handheld devices) be checked for compliance with organizational encryption policies.
   · interfaces and unneeded features be turned off until they are needed.
   · devices be centrally managed to simplify the configuration control and management processes needed to ensure compliance with the organization's mobile device security policy. Agencies should be able to remotely erase, disable, or lock a device in the event it is lost or stolen.

Objectives

The objective of this audit was to evaluate the management and implementation of security measures over the use of mobile handheld device technology within the Department.

Section 1: Security of Wireless Handheld Devices

Finding 1: USDA Needs to Secure its Wireless Handheld Devices

Of USDA's approximately 10,000 wireless handheld devices, we found that all 277 of those selected and tested were not adequately secured according to NIST standards.[5] Ultimately, these devices were not secured because USDA allowed its agencies to deploy them using a decentralized approach—essentially, permitting the agencies to purchase and use the devices they felt they needed—but did not provide the agencies with clear guidance on how to configure and use their devices securely.
Unless the Department and its agencies take adequate steps to secure these devices, sensitive USDA data are at risk of theft, inadvertent disclosure, or manipulation.

NIST requires that organizations centrally manage their devices to simplify the configuration, control, and management processes needed to ensure compliance with the organization's mobile device security policy. NIST also requires that organizations inventory wireless handheld devices, conduct assessments of the risks to their devices, encrypt data on the device, install anti-virus software on the devices, use strong passwords to protect the devices, and back up any data stored on the devices.[6] According to the Office of Management and Budget (OMB), Federal organizations are required to comply with NIST guidance.[7]

We found, however, that all 277 devices we tested in 40 locations did not meet NIST standards.[8] Among the many deficiencies we found, 168 of these devices did not have adequate passwords, or had no passwords at all; 259 devices had no anti-virus software installed; and 139 were not configured to encrypt removable media.[9] If these devices were lost or stolen, potentially sensitive Government information would be easily accessible.

We also found systemic security problems with all 22 Blackberry servers the Department uses to control the approximately 10,000 devices. USDA issued the Blackberry Enterprise Server Security Guide, which recommended 228 settings that should be put in place on a Blackberry server to enhance security and make it more difficult for sensitive data to be compromised in the event the device is lost or stolen. However, we found that nearly 90 percent of the server settings deployed were not set in accordance with the Department's security guide. None of the deployed servers were entirely compliant with the security guide, nor did we find waivers for any noncompliant settings.

These systemic problems meant that USDA employees were able to use their devices for purposes that could compromise the security of the devices. For example, we found that five users were using a university system for their Government email, which allows potentially sensitive Government email to reside on non-Government servers. Other users were receiving non-Government email on their devices, which could allow potentially harmful and malicious software to be inadvertently loaded onto Government devices. Some users were browsing prohibited internet sites, including a gentlemen's club site, a fantasy sports site, and a social media site.

[5] NIST SP 800-124, Guidelines on Cell Phone and PDA Security, dated October 2008; and OCIO, Baseline Configuration Standard, BlackBerry Enterprise Server Security Guide, Revision: 1.1, dated October 24, 2007.
[6] Ibid.
[7] OMB A-130, Management of Federal Information Systems, dated November 11, 2000.
[8] See Exhibit A for listing of test locations.
[9] Removable media refers to storage media which are designed to be removed from the device without powering it off. Such media are small and easily lost or stolen if removed from the device.

Ultimately, these problems occurred because USDA chose to deploy these wireless handheld devices in its various agencies using a decentralized approach—agencies were allowed to purchase, configure, and use whatever smartphones or other devices they decided would be most conducive to their work—but did not provide the agencies with clear guidance on how to adequately and securely configure these devices. NIST guidelines require that organizations centrally manage their devices, since central management can provide significant security benefits.[10] For example, centrally managed phones could be inventoried, remotely "wiped" if stolen or lost, and have new patches installed and secure settings deployed when threats change.[11] Without a centrally managed solution, USDA is experiencing great discrepancies in how its agencies deploy handheld wireless devices. We found, for instance, that one agency deployed a version of iPhone with no security settings enabled.

Additionally, OIG maintains that USDA needs a more centralized approach to its wireless handheld devices, if only so that it can accurately inventory the devices it deploys. When we began this audit, the Department was unable to provide a listing of all wireless handheld devices it deployed, and referred us to the agencies, not all of whom were able to provide an accurate listing. One agency took more than 2 months to provide its inventory because it had decentralized its own deployment of these devices and had not consolidated its inventory.

To meet NIST standards, OIG believes the most direct route to secure wireless handheld devices is to centrally manage them. Additionally, USDA should consolidate and improve the guidance it provides its information technology employees. In the past, USDA has provided guidance that was not clear regarding how agencies should secure their wireless handheld devices. NIST requires that Departments and agencies create policies and procedures on key aspects of security and management over wireless handheld devices.[12] Of the ten documents pertaining to wireless handheld devices that USDA published on its Departmental policies and procedures website, we found that nine were superseded or expired. Nevertheless, we found agencies using the superseded and the expired policies and procedures.[13]

Based on our review of these ten documents, USDA's available guidance does not meet NIST requirements because it does not provide security settings for all the types of devices deployed by the agencies. At present, USDA is using Blackberry Enterprise Servers, Windows Mobile, and other enterprise solutions and servers, but the Department has no security configuration guides for these applications.

[10] NIST SP 800-124, Guidelines on Cell Phone and PDA Security, dated October 2008; and OCIO, Baseline Configuration Standard, BlackBerry Enterprise Server Security Guide, Revision: 1.1, dated October 24, 2007.
[11] Remote wiping entails sending a signal to the device which completely obliterates all data on the device. This keeps lost or stolen phones from disclosing sensitive Government information.
[12] NIST SP 800-124, Guidelines on Cell Phone and PDA Security, dated October 2008; and OCIO, Baseline Configuration Standard, BlackBerry Enterprise Server Security Guide, Revision: 1.1, dated October 24, 2007.
[13] During the course of this audit, the Office of the Chief Information Officer removed all expired and superseded Departmental guidance from the website, and the Department began drafting new operational policies for wireless handheld devices. However, security issues were not addressed in the new operational policies.

Even when the Department did provide guidance, it often prescribed security settings that were less than optimal. Although encryption is an essential means of protecting data on a mobile device if it becomes lost or stolen, OCIO provided guidance that did not mention any recommended settings for data encryption either for the device or for any associated external media (such as memory cards).

Overall, we concluded that USDA needs to take steps to improve the security of its wireless handheld devices. The Department should begin by centralizing how its agencies configure and deploy their wireless handheld devices; at a minimum, the Department must provide its agencies with clear, NIST-compliant guidance on how to configure all devices they are using. Given the seriousness of the problems we have found with USDA's security over wireless handheld devices, and the fact that these problems are pervasive in so many different agencies, we are also recommending that USDA monitor its application of these enhanced security procedures.

During the course of the audit, the Department issued a detailed policy establishing the requirements for planning and managing wireless technologies, centralizing acquisition, and addressing roles and responsibilities that cover several issues noted in this report.[14] Therefore, we will not be making recommendations concerning those issues that were adequately covered in the policy.

Recommendation 1
Develop NIST-compliant configuration guides for all approved wireless handheld device and server types. Require agencies to document reasons for any deviations.

Agency Response
OCIO concurs with this recommendation. OCIO has drafted a new Departmental Regulation, Secure Configuration Management Policy, based on NIST guidance. This new Departmental Regulation requires the use of Federal Government issued (e.g., NIST) secure configuration guides for all information technology devices used in USDA and the formal documentation of all deviations. OCIO anticipates the publication of the new regulation by March 31, 2012.

OIG Position
OIG concurs with the management decision. OCIO has taken interim action to address this recommendation. OCIO issued instructions, effective May 26, 2011, requiring all agencies to comply with the NIST configuration guidelines.

[14] Departmental Manual (DM) 3500-005, Policies for Planning and Managing Wireless Technologies in USDA, dated November 10, 2010.

Recommendation 2
Develop and implement a process to monitor wireless handheld device and server configuration settings to ensure they meet NIST requirements.

Agency Response
OCIO concurs with this recommendation and has drafted a new Departmental Manual (DM), USDA Secure Configuration Management Procedures; expected publication is March 31, 2012.

OIG Position
OIG concurs with the management decision. OCIO issued instructions, effective May 26, 2011, requiring all agencies to comply with the NIST configuration guidelines.

Finding 2: USDA Needs to Better Coordinate How its TMACOs Manage Their Agencies' Handheld Wireless Devices

Of the 26 TMACOs working for USDA, we reviewed 6 and found that none were adequately managing and controlling how employees in their agencies used their wireless handheld devices.[15] Not all agencies had full-time TMACOs; some agencies had not granted their TMACOs the authority necessary to carry out their duties; and other agencies had not trained their TMACOs. These problems occurred because the Department did not centralize and coordinate the work these employees were supposed to be performing.
Without greater\ncoordination of agencies\xe2\x80\x99 TMACOs, different USDA agencies placed different emphasis on the\nTMACOs\xe2\x80\x99 roles and responsibilities, which resulted in USDA agencies not paying the lowest\npossible rates for their handheld devices, not being able to provide inventories of their devices,\nand not instructing employees in how they should use the devices.\n\nUSDA requires agencies to establish a telecommunications management program to include\nagency-wide and project-level management structures and processes responsible and accountable\nfor managing, selecting, controlling, and evaluating investments in telecommunications systems.\nAs part of that program, the TMACO\xe2\x80\x99s role includes validating telecommunication services\n(including handheld wireless devices); reviewing telecommunications services and equipment to\nensure they are supported by documented business needs; and completing proper technical\nanalysis. In addition, they are tasked with maintaining cost-benefit analyses and all other\ndocumentation pertinent to the agency\xe2\x80\x99s decision for implementing telecommunications services\nand equipment; and ensuring the most cost-effective solution for program delivery and agency\ncompliance with USDA standards.16\n\nWe found, however, that the TMACOs at the six agencies we reviewed did not have the\nresources and the authority they needed to accomplish their duties as required by Departmental\nregulations:\n\n15\n   The agency TMACO is designated within each mission area/agency and is empowered to control ordering and to\nprovide oversight when ordering network services.\n16\n   DR 3300-001, Telecommunication and Internet Services and Use, dated March 23, 1999.\n\nAudit Report 50501-01-IT                                                                                8\n\x0c       \xc2\xb7     Four did not have policies and procedures in place for their position.\n       \xc2\xb7     Three TMACOs\xe2\x80\x99 position 
descriptions defined their wireless device responsibilities as\n             \xe2\x80\x9cother duties as assigned.\xe2\x80\x9d\n       \xc2\xb7     One agency \xe2\x80\x93ARS\xe2\x80\x93 had not granted the TMACO the authority and responsibility for\n             centralized management of wireless devices.\n       \xc2\xb7     Two agencies\xe2\x80\x99 TMACOs were not granted authority by the agency to review\n             telecommunication acquisitions.\n       \xc2\xb7     Two were not the central point-of-contact for all telecommunication services within the\n             agency.\n       \xc2\xb7     Six did not maintain appropriate records for telecommunication services and\n             justifications for the products acquired.\n\nAll of the TMACOs we interviewed stated that they had not received formal training on their\nassigned duties and explained that they would benefit from training in their roles and\nresponsibilities.\n\nOne of the various responsibilities assigned to TMACOs, according to Departmental regulations,\nis the responsibility of ensuring that the agency is not paying more than it should for\ntelecommunication services.17 Based on our review of how the six agencies were billed over 3\nmonths, we determined that the TMACOs were not always adequately reviewing their bills. 
For\nexample, we found that:\n\n       \xc2\xb7     109 devices had overages totaling $23,823, including one user who had over $1,400 in\n             overage charges for a 3-month period while another incurred $975 in text message and\n             minute overages during that same period.\n       \xc2\xb7     491 devices had no activity (phone or data calls) during at least one billing cycle.\n       \xc2\xb7     20 employees at an agency were issued more than one phone.\n\nOIG also noticed that the agencies were receiving most of their bills on paper, which made it\ndifficult for the TMACOs to review their entire agency\xe2\x80\x99s activity on a monthly basis\xe2\x80\x94one\nagency\xe2\x80\x99s monthly bill consisted of more than 2,600 pages. In order for a TMACO to be able to\nreasonably review bills of this sort, the agency needs to work with the provider to receive a\nconsolidated, electronic bill that TMACOs can use to filter and organize the data.\n\nIn contrast, one of the agencies we reviewed\xe2\x80\x94the Animal and Plant Health Inspection Service\xe2\x80\x94\ndid dedicate a TMACO to managing its telecommunications. That TMACO consolidated rate\nplans, discontinued unused phones, and lowered the agency\xe2\x80\x99s average service line costs from $71\nto $41 per month, saving the agency more than $1.4 million in one year. We maintain that other\nagencies with a properly trained TMACO could realize similar types of savings.\n\nOIG also found that, although managing an inventory of wireless devices is one of the\nresponsibilities that Departmental regulations assign to TMACOs,18 the agencies we reviewed\n\n17\n     Ibid.\n18\n     Ibid.\n\nAudit Report 50501-01-IT                                                                         9\n\x0cfound it difficult to provide inventory information. 
For example, for one agency to provide us\nthis information, the agency\xe2\x80\x99s TMACO needed to conduct a data call of all the agency\xe2\x80\x99s\nregions\xe2\x80\x94a process that took 2 months.\n\nEven when the six agencies we reviewed were able to produce an inventory, we found that five\nof their inventories differed from the lists we developed from information on the Department\xe2\x80\x99s\nservers. We also observed other problems, such as blank fields for user names; missing phone\nnumbers, device types, and operating systems; and phone number fields populated with just the\narea code. Four agencies did not identify device make or model for 638 of the inventoried\ndevices, and one agency had at least 500 unknown device makes and models on its inventory.\nWithout this critical information being readily available, agencies will find it difficult to\nadequately address security incidents involving these wireless handheld devices, or deploy\nupdates to them.\n\nOIG maintains that TMACOs can provide USDA and its agencies with an important means of\nmanaging their telecommunications usage, particularly for wireless handheld devices. At\npresent, however, USDA agencies are not fully utilizing this resource. USDA needs to take steps\nto ensure that the agencies are fully and consistently using these staff positions to comply with\nDepartmental regulations.\n\nDuring the course of this audit, the Department issued a detailed policy establishing the TMACO\nposition, including roles and responsibilities, training, and certification that covers the issues\nnoted in this report.19 Based on our review of the revised policy, we modified our\nrecommendations.\n\nRecommendation 3\n\nWork with telecommunication vendors to develop and implement an electronic billing process\nthat would allow conversion to commercially available software so that TMACOs can more\neasily review all bills on a monthly basis. 
Once in electronic format both the agency and
Department should develop standard queries for detecting fraud and waste.

Agency Response
OCIO concurs with this recommendation. DM 3300-005, Policies for Planning and Managing
Wireless Technologies in USDA, November 10, 2010, addresses program requirements for the
financial management of wireless communications equipment and billing. There is a current
wireless billing online process that was put in place in 2009. Wireless bills are scanned by the
National Finance Center (NFC), placed into a repository in St. Louis and reviewed and accessed
by the TMACOs. In January 2011, OCIO started developing a replacement for the current
online process, which will be announced via memo to the agencies as soon as the procurement is
finalized. Once awarded, the USDA Cellular program will provide a centralized
Program Office which will oversee the USDA Cellular Service Plans and inventory oversight.
OCIO anticipates the award of a Blanket Purchase Agreement and project completion by
March 31, 2012.

19 DR 3300-020, Telecommunications Mission Area Control Officer (TMACO) Roles and Responsibilities, August
30, 2010.

OIG Position
OIG concurs with the management decision.

Recommendation 4

Develop a centralized Departmental system to capture all pertinent data for all handheld devices,
such as user, phone number, make, model, device operating system, and current software level.

Agency Response
OCIO partially agrees with this recommendation. OCIO recognizes USDA has a decentralized
procurement process for handheld devices.
In its response, dated June 16, 2011, OCIO stated it
is developing a memorandum explaining the unification of USDA's Cellular procurement,
pricing, inventory, and management under a single program office within OCIO servicing all
USDA agencies and offices through the General Services Administration and service providers.
OCIO plans to issue this memorandum by July 31, 2011, and anticipates the award and
completion of this project by March 31, 2012.

OIG Position
OIG concurs with this management decision. The contract should include the provision for
consolidating the agency inventories to a Departmentwide inventory.

Recommendation 5

ARS should centralize the acquisition and security over its wireless handheld devices.

Agency Response
ARS concurs with this recommendation. In its response provided to OCIO, June 2, and
subsequent correspondence on July 11, 2011, ARS stated that the agency plans to implement
procedures to manage the acquisition of handheld devices within ARS. Such procedures would
include standardizing all ARS handheld devices, a process requiring TMACO approval for
handheld purchases, and a process to ensure security policies are installed on handheld devices
prior to deployment. ARS' OCIO is currently in the process of writing formal Policy and
Procedures for this process; expected completion is the first quarter of fiscal year 2012.

OIG Position
OIG concurs with the management decision.

Scope and Methodology
Our audit focused on all wireless handheld devices that USDA operated from November 1, 2009,
through April 30, 2010.
We defined wireless handheld devices as machines capable of sending
and receiving Government email, accessing the global contacts list, downloading software
applications, and browsing the internet.

From the total population of smartphones USDA operated (approximately 10,000), we selected
sites with the highest concentration of smartphones for detailed field testing. Thus, we reviewed
six agencies: the Agricultural Research Service, the Animal and Plant Health Inspection Service,
the Food and Nutrition Service, the Forest Service, the National Agricultural Statistics Service,
and the Office of the Chief Information Officer. We then visited a total of 40 sites in 30
locations where we interviewed users and physically inspected their wireless handheld devices
(see Exhibit A for a list of the locations we visited).

We ascertained whether users had been advised about the acceptable uses of the device, and that
the devices had been properly configured to safeguard against network intrusion, data loss,
malware, and viruses.
Additionally, we wanted to ensure the Department and agencies had
established policies and procedures that properly implement NIST guidelines and best practices
for smartphone usage and deployment.

We designed audit tests to support our audit methodology, and ultimately, our audit objective.
Specifically, we:

   ·   devised tests to inspect smartphone server configuration settings that we then deployed to
       the individual devices.
   ·   inspected Department and agency policies and procedures to ensure regulatory guidance
       had been implemented.
   ·   scanned all Department Blackberry Enterprise Servers for known vulnerabilities.
   ·   analyzed the effectiveness of the TMACOs' role, including analysis of cellular phone
       bills for inefficiencies and evidence of abuse.
   ·   conducted interviews with various USDA personnel to gather information pertaining to
       the audit.

Additionally, our team developed standardized checklists and physically tested devices to ensure
they were configured according to policy and regulatory guidelines, and were being properly
utilized. Our team created a non-statistical sample of device phone numbers to test at each
agency location; however, the actual testing was based on user and device availability during our
site visit. After identifying a smartphone user at the agency location, we interviewed the user
and inspected the user's device. The responses to each checklist question were documented and
subsequently compiled into a summary spreadsheet by agency.

As a basis for the audit findings, we compared the results of the audit tests against Departmental,
agency, and NIST guidance.
Some of the guidance used during the course of the audit included:

   ·   NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
       Systems, December 2007.
   ·   NIST SP 800-124, Guidelines on Cell Phone and PDA Security, October 2008.
   ·   DR 3505-002, Wireless Networking Security Policy, August 11, 2009.
   ·   DR 3300-001, Telecommunications and Internet Services and Use, March 23, 1999.
   ·   Departmental Manual 3550-003, Chapter 10, Part 3: Portable Electronic Devices and
       Wireless Technology, February 8, 2006.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards required that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.

Abbreviations

ARS          Agricultural Research Service
DR           Departmental Regulation
DM           Departmental Manual
GSA          General Services Administration
NFC          National Finance Center
NIST         National Institute of Standards and Technology
OCIO         Office of the Chief Information Officer
OIG          Office of Inspector General
OMB          Office of Management and Budget
PDA          Personal Digital Assistant
SP           Special Publication
TMACO        Telecommunication Mission Area Control Officer
USDA         United States Department of Agriculture

Exhibit A: Testing Locations
The following locations were visited by OIG during the course of the audit.

   ·   Phoenix, Arizona
   ·   Tucson, Arizona
   ·   Denver, Colorado
   ·   Fort Collins, Colorado
   ·   Dover, Delaware
   ·   Washington, District of Columbia
   ·   Fort Pierce, Florida
   ·   Chicago, Illinois
   ·   Lombard, Illinois
   ·   Ames, Iowa
   ·   Des Moines, Iowa
   ·   Manhattan, Kansas
   ·   Topeka, Kansas
   ·   Annapolis, Maryland
   ·   Beltsville, Maryland
   ·   Columbia, Missouri
   ·   Jefferson City, Missouri
   ·   Kansas City, Missouri
   ·   Springfield, Missouri
   ·   Albuquerque, New Mexico
   ·   Raleigh, North Carolina
   ·   Research Park, North Carolina
   ·   Corvallis, Oregon
   ·   Eugene, Oregon
   ·   Tangent, Oregon
   ·   Arlington, Virginia
   ·   Rosslyn, Virginia
   ·   Olympia, Washington
   ·   Pullman, Washington
   ·   Spokane, Washington

Agency's Response

USDA'S OFFICE OF CHIEF INFORMATION OFFICER AND AGRICULTURAL RESEARCH SERVICE

RESPONSE TO AUDIT REPORT

United States Department of Agriculture
Office of the Chief Information Officer
1400 Independence Avenue SW
Washington, DC 20250

                                                                    JUN 16 2011

TO:            Gil H. Harden
               Assistant Inspector General for Audit
               Office of Inspector General

FROM:          Christopher L. Smith /s/
               Chief Information Officer
               Office of the Chief Information Officer

SUBJECT:       USDA's Management and Security Over Wireless Handheld Devices
               (Audit 50501-1-IT) DRAFT

Thank you for the opportunity to review and provide comments on the subject draft
audit report.

Finding 1: USDA Needs to Secure its Wireless Handheld Devices

Recommendation 1: Develop National Institute of Standards and Technology (NIST)-
compliant configuration guides for all approved wireless handheld device and server
types. Require agencies to document reasons for any deviations.

Office of the Chief Information Officer (OCIO) Response
OCIO agrees with this recommendation. OCIO has drafted a new Departmental
Regulation (DR) titled "Secure Configuration Management Policy" based on NIST
guidance. This DR will supersede Departmental Manual (DM) 3520-000 Configuration
Management, dated 07/15/04; 3520-001, CM Policy & Responsibilities, dated 7/17/04;
3535-000 C2 Controlled Access Protection - General Information, dated 5/11/05; and
3535-001 USDA's C2 Level of Trust, dated 02/17/05. This new DR requires the use of
Federal Government issued (e.g. NIST) secure configuration guides for all information
technology devices used in USDA and formal documentation of all deviations. This
regulation is currently in OCIO review.

Additionally, on May 26, 2011, the Associate Chief Information Officer (ACIO) for the
Agriculture Security Operations Center (ASOC) issued a memorandum to all agency
Chief Information Officers and Information Systems Security Program Managers
requiring the use of NIST Security Configuration Checklists.

Estimated Completion Date: We anticipate publication of the new DR by
March 31, 2012.

Recommendation 2: Develop and implement a process to monitor wireless handheld
device and server configuration settings to ensure they meet NIST requirements.

OCIO Response
OCIO agrees with this recommendation. OCIO has drafted a new DM titled "USDA
Secure Configuration Management Procedures." This manual is currently in OCIO
review.

Estimated Completion Date: We anticipate publication of the new DM by
March 31, 2012.

Finding 2: USDA Needs to Better Coordinate How its Telecommunications
Mission Area Control Officers (TMACOs) Manage Their Agencies' Handheld
Wireless Devices

Recommendation 3: Work with telecommunication vendors to develop and
implement an electronic billing process that would allow conversion to commercially
available software so that TMACOs can more easily review all bills on a monthly basis.
Once in electronic format both the agency and Department should develop standard
queries for detecting fraud and waste.

OCIO Response
OCIO agrees with this recommendation. DM 3300-005, Policies for Planning and
Managing Wireless Technologies in USDA, November 10, 2010, addresses program
requirements for the financial management of wireless communications equipment and
billing. There is a current wireless billings online process that was put in place in 2009.
Wireless bills are scanned by the National Finance Center and placed into a repository
in St. Louis and reviewed and accessed by the TMACOs. In January 2011, OCIO
started developing a replacement for the current online process, which will be
announced via memo to the agencies as soon as the procurement is finalized. Once
awarded the USDA Cellular program will provide a centralized Program Office which
will oversee the USDA Cellular Service Plans and the inventory oversight.

Estimated Completion Date: We anticipate award of a BPA and completion by
[remainder illegible in the scanned copy].

Recommendation 4: Develop a centralized Departmental system to capture all
pertinent data for all handheld devices, such as user, phone number, make, model,
device operating system, and current software level.

OCIO Response
OCIO partially agrees with this recommendation. USDA has a decentralized
procurement process for handheld devices. Agencies maintain their own inventory
information. OCIO is developing a memorandum to unify USDA Cellular
procurement, pricing, inventory, and management under a single program office within
OCIO, servicing all USDA agencies and offices and the enterprise representative to the
General Services Administration and service providers. OCIO will implement a
solution for TMACOs to use for inventory management for all agencies' wireless
devices. OCIO will issue the memorandum by July 2011.

Estimated Completion Date: We anticipate award and completion by March 31, 2012.

Recommendation 5: The Agriculture Research Service (ARS) should centralize the
acquisition and security over its wireless handheld devices.

OCIO Response
OCIO and ARS agree with this recommendation.

Due to the decentralized budgetary process within ARS, the agency plans to implement
the following procedures to manage the acquisition of handheld devices within ARS:

      •  Standardize all ARS handheld devices that will be identified as supported in
         the USDA Enterprise Messaging System;
      •  Utilize a process that is routed through the Agency TMACO to approve
         handheld purchases;
      •  TMACO approves purchase and documents specificities in a managed
         database;
      •  Unsupported devices would be sent through the TMACO as a "waiver
         process" with the Department having the final approval; and
      •  All handheld devices will have Department security policies applied through
         one of two processes.

         Security
            o  Once connected the Department Enterprise Messaging System (EMS)
               security policies are installed on handheld devices.
            o  Handheld devices not connected to Department EMS will be
               provisioned with security policies by local IT specialists before being
               deployed for use.

Estimated Completion Date: Pending Departmental guidance on wireless technologies
will be supported in the BPOS EMS.

OCIO will continue to keep the Office of Inspector General abreast of our progress on
these recommendations. If further information is needed, please contact Sherry
Linkins, OCIO Audit Liaison at 202-720-9293.

cc:
Charles T. McClam, Deputy Chief Information Officer
Richard Coffee, Acting ACIO-CPPO
Christopher Lowe, ACIO-ASOC
[first name illegible in the scanned copy] Elias, Program Analyst, OCFO
Owen Unangst, Director-IOA
Sherry Linkins, OCIO
Cynthia Schwind, OCIO
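The standard queries for detecting fraud and waste that Recommendation 3 calls for, worked through as an added example (not code from the report, OCIO or any USDA system) against the three anomalies OIG reported in Finding 2: overage charges, devices with no activity in a billing cycle, and employees issued more than one phone. The bill layout, the $100 overage threshold and the sample rows are constructed assumptions, standing in for the consolidated electronic bill a TMACO would receive from the carrier.

```python
"""Standard 'fraud and waste' queries over a consolidated electronic wireless bill.

Added example, not from the OIG report or any USDA system: the bill layout,
the overage threshold and the sample rows are constructed assumptions.
"""
import sqlite3

# Constructed sample of a consolidated monthly bill export, one row per device
# per billing cycle. Columns: cycle, phone number, user, voice minutes,
# data kilobytes, text messages, overage charges in dollars.
SAMPLE_BILL_ROWS = [
    ("2010-02", "202-555-0101", "A. Adams", 640, 120000, 300, 0.00),
    ("2010-02", "202-555-0102", "B. Baker", 2200, 90000, 1500, 510.25),
    ("2010-02", "202-555-0103", "C. Clark", 0, 0, 0, 0.00),
    ("2010-02", "202-555-0104", "B. Baker", 15, 2000, 4, 0.00),
    ("2010-03", "202-555-0101", "A. Adams", 700, 110000, 280, 0.00),
    ("2010-03", "202-555-0102", "B. Baker", 2100, 95000, 1300, 480.75),
    ("2010-03", "202-555-0103", "C. Clark", 0, 0, 0, 0.00),
    ("2010-03", "202-555-0104", "B. Baker", 0, 0, 0, 0.00),
    ("2010-04", "202-555-0102", "B. Baker", 1900, 80000, 1100, 420.00),
    ("2010-04", "202-555-0103", "C. Clark", 30, 5000, 2, 0.00),
]


def load_bill(rows):
    """Load bill rows into an in-memory SQLite table so they can be queried."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bill (billing_cycle TEXT, phone_number TEXT, "
        "user_name TEXT, voice_minutes INTEGER, data_kb INTEGER, "
        "sms_count INTEGER, overage_usd REAL)"
    )
    conn.executemany("INSERT INTO bill VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def overage_devices(conn, threshold_usd=100.0):
    """Devices whose overage charges over the whole period exceed the threshold.

    Returns (phone_number, user_name, total_overage), largest total first.
    """
    return conn.execute(
        "SELECT phone_number, user_name, ROUND(SUM(overage_usd), 2) AS total "
        "FROM bill GROUP BY phone_number, user_name "
        "HAVING SUM(overage_usd) > ? ORDER BY total DESC",
        (threshold_usd,),
    ).fetchall()


def idle_devices(conn):
    """Device/cycle pairs with no voice, data or text activity at all."""
    return conn.execute(
        "SELECT phone_number, billing_cycle FROM bill "
        "WHERE voice_minutes = 0 AND data_kb = 0 AND sms_count = 0 "
        "ORDER BY phone_number, billing_cycle"
    ).fetchall()


def users_with_multiple_devices(conn):
    """Users billed for more than one distinct phone number."""
    return conn.execute(
        "SELECT user_name, COUNT(DISTINCT phone_number) AS devices FROM bill "
        "GROUP BY user_name HAVING COUNT(DISTINCT phone_number) > 1 "
        "ORDER BY user_name"
    ).fetchall()


if __name__ == "__main__":
    conn = load_bill(SAMPLE_BILL_ROWS)
    print("overages:", overage_devices(conn))
    print("idle devices:", idle_devices(conn))
    print("multiple devices:", users_with_multiple_devices(conn))
```

Run monthly against the full export, each hit is a line for the TMACO to reconcile against the inventory and follow up with the user's supervisor.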